Addressing Privacy Regulations and Cyber Risk: Biometric Privacy

Amy A. Pines, JD, RPLU, CPLP, Senior Vice President, Cyber Liability

What follows is the first in a series of articles that will explore the history and evolution of privacy regulations, including recent key enforcement actions, verdicts and settlements and recommendations for insureds on how to address the incredibly complicated regulatory rubric. This first article focuses on biometric privacy regulation in the United States.

Beginning in 2019, ransomware attacks surged, significantly disrupting the cyber insurance industry with both the frequency and the severity of losses. Over time, however, the cyber claims landscape has proven anything but static. It evolved from the once prevalent and problematic payment card industry claims and data breaches, to business email compromise, to computer crime and ransomware, and the evolution is ongoing. As privacy regulations become increasingly prevalent and complex, and as settlements and damages amounts increase, it is imperative to monitor changes in and updates of the privacy regulatory landscape to protect against noncompliance and potential resultant claims and losses.

In 2008, the Illinois Biometric Information Privacy Act (“BIPA”) was the first comprehensive biometric privacy law passed in the U.S. It regulates the collection, storage, retention, safeguarding, use, sharing and destruction of biometric information and biometric identifiers[1] by private companies (with certain exceptions and exclusions). A private business must comply with BIPA if it collects any biometric information of Illinois residents. Compliance means requesting and receiving informed, written consent from each data subject. It also means agreeing not to sell or lease any of the data for profit. There are also specific restrictions on disclosure of the data and security requirements for companies in possession of the data. But the most unique and potentially significant aspect of BIPA is that it includes a private right of action for aggrieved individuals to recover for each violation, with no requirement for actual damage, as follows: (1) liquidated damages of $1,000 or actual damages, whichever amount is greater, for negligent violations; or (2) liquidated damages of $5,000 or actual damages, whichever amount is greater, for intentional or reckless violations. Plaintiffs are also entitled to recover reasonable attorney fees and related court costs, including expert witness fees and other litigation expenses.

BIPA litigation is also noteworthy because it is the result of the first biometric regulation in the US and, as mentioned earlier, provides for the broadest private right of action for plaintiffs. And, due in part to the private right of action, case count is voluminous and continues to increase. In 2021, at least 89 court rulings referenced BIPA, a 400% increase from 2019.[2]

Arguably, the most prominent case involving BIPA is Rosenbach v. Six Flags Entertainment Corporation,[3] which held that a consumer need not demonstrate an adverse effect or specific harm to have standing to sue under BIPA. Instead, bare procedural violations of the statute are sufficient. This ruling was at odds with the way in which many privacy laws are written and enforced around the country, namely because plaintiffs must prove that they sustained some form of damage or harm as a result of the illegal disclosure of their personal information. However, this ruling was limited to legal standing in an Illinois state court. So, there may be a higher threshold to establish standing in federal court. See TransUnion, LLC v. Ramirez, 141 S. Ct. 2190 (2021), which held that only a plaintiff concretely harmed by a defendant’s violation of the Fair Credit Reporting Act (“FCRA”) has Article III standing to seek damages.[4] While TransUnion was specific to the FCRA, it may have implications for BIPA.[5] Future case law will settle this issue.

Equally compelling are the settlements recorded to date under BIPA. In 2021, a California federal court judge gave final approval for a settlement in a class action lawsuit against Facebook. Under the terms of the settlement, Facebook agreed to pay $650M to 1.6M Illinois residents for violations of BIPA (specifically related to the use of unauthorized facial tagging). Also in 2021, a federal court in Illinois granted preliminary approval to a $92M settlement reached in the TikTok multi-district litigation, the Six Flags litigation referenced above received preliminary approval for a $36M settlement, an Illinois state court judge approved a $25M class action settlement between ADP and its employees, and Walmart reached a $10 million settlement with current and former employees, all based on BIPA violations.

Similar legislation goes back to 2009, when Texas enacted the Capture or Use of Biometric Identifier Act (the “Texas Act”), which is most notably distinguished from BIPA by the fact that it has no private right of action. Instead, it is solely within the discretion of the Attorney General of Texas to pursue any violations.

In 2017, Washington became the third state to enact specific biometric privacy legislation, the Washington Biometric Privacy Act. It is the least strict of the three. It does not require notice or consent, and in some circumstances contains a broad security exception exempting entities collecting biometric information for “security purposes.” Like the Texas Act, it provides no private right of action.

More recently, in 2021, New York and Colorado passed biometric-specific laws, but each is less stringent than BIPA. A number of other states, such as Arkansas, have broader privacy statutes that regulate biometric data by including it in the statutory definition of personal information.

As of the posting of this article, Maine, Maryland, Massachusetts, Missouri, Kentucky, New York and West Virginia all have some form of a proposed biometric regulation bill pending. In February 2022, California introduced a bill to expand the protections of the California Privacy Rights Act to also include biometric information.

Also in February 2022, the Illinois Supreme Court made a much anticipated decision in the matter of McDonald v. Symphony Bronzeville Park, LLC.[6] The Court held that the Illinois Workers’ Compensation Act (“IWCA”) does not preempt claims under BIPA. This decision eliminated a technique frequently used by employers to defend against BIPA claims (essentially asserting that the IWCA was an exclusive remedy for work-related “injuries”). The Court held that a BIPA violation and the resultant claim for liquidated damages are clearly distinguished from the actual physical injuries that are covered by the IWCA. A claim against an employer for an alleged violation of BIPA would not be covered by the IWCA and cannot be preempted by the IWCA.

This flurry of activity, both legislative and judicial, will undeniably impact biometric privacy standards and will have a secondary impact on the cyber insurance industry.

For more information about privacy regulations in the US and abroad, additional case law examples, and recommendations for insureds on how to manage their exposures, read Munich Reinsurance America, Inc.’s full white paper, Understanding Privacy Regulations and Their Impact on US Entities, available at: Cyber Risk | Munich Re US

[1] “Biometric information” means any information based on an individual’s biometric identifier used to identify an individual. Biometric information does not include information derived from items or procedures excluded under the definition of “biometric identifier.” “Biometric identifier” means a retina or iris scan, fingerprint, voiceprint, scan of the hand or face geometry, palm veins, odor or scent and ear features. Examples of exclusions to this definition include writing samples, photographs, tattoo descriptions, and information captured in a health care setting or under HIPAA, etc. 740 ILCS 14/10.

[2] Kristen L. Bryan, Christina Lamoureux, and Dan Lonergan, 2021 Year In Review: Biometric and AI Litigation, The National Law Review, Vol. XII, No. 84, Jan. 5, 2022.

[3] Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186 (Jan. 25, 2019).

[4] For additional insight into the decision, see 135 Harv. L. Rev. 333, Nov. 10, 2021, https://harvardlawreview.org/2021/11/transunion-v-ramirez/.

[5] Robert Cattanach, Kent Schmidt and Melonie Jordan, “No Concrete Harm, No Standing” – Supreme Court’s TransUnion v. Ramirez Decision Clarifies Federal Court Standing Requirements for CCPA and BIPA Class Actions (June 20, 2021), https://dorsey.com/newsresources/publications/client-alerts/2021/06/supreme-court-transunion-v-ramirez-decision

[6] McDonald v. Symphony Bronzeville Park, LLC, 2022 IL 126511 (2022).


Geraldine Kearney

Senior Corporate Underwriter/Legal Consultant at Munich Re

3y

Well done, Amy!

Nice one Amy: hope all is well
